Right-Sizing Insurance Requirements for Better Third-Party Vendor Onboarding
July 1, 2021
Third-party insurance requirements are often set from the perspective of a business's risk managers, general counsel, and other GRC executives. Such requirements are best enforced through a lightweight, expedient process that supports business objectives, matches vendor requirements to the exposure they present, and mitigates the many risks that can arise from such third-party relationships.
There’s a very good reason for effective compliance programs. The Federal Deposit Insurance Corporation (FDIC) provides some very detailed guidance for managing third-party risk, explaining that failure to do so can “expose an institution to regulatory action, financial loss, litigation and reputation damage, and may even impair the institution’s ability to establish new or service existing customer relationships.”
The FDIC specifically recommends that companies implement performance monitoring to manage their third-party risk, which includes verifying the adequacy of the third party's insurance coverage, in order to effectively protect the business through a transfer of risk.
From a compliance standpoint, it's no wonder that businesses feel safer and more comfortable when their risk and compliance executives set the insurance requirements. The downside is that these professionals often err on the side of extreme caution and, in doing so, set the bar too high for most third parties to achieve compliance with their standards.
In our new research report, Evident found that 75% of third-party vendors, suppliers, franchisees, and other partners do not meet the insurance requirements established by the companies that hire them.
Our data shows that 4% of the third parties that were non-compliant had decided they no longer wanted to meet the company’s insurance requirements for one reason or another. More often than not, it was due to the fact that achieving compliance with insurance standards would cost more money than they’d actually make from doing business with the company.
If, for example, a company’s risk manager requires all third-party vendors to carry a minimum coverage of $2M in general liability, and the next year, increases the required coverage limit to $5M, the cost of their rising premiums may outweigh the potential profit gained from the business relationship.
Increasing the number of compliance criteria can sometimes be a helpful and intentional way to diminish the number of undesirable vendor candidates, but the company needs to confirm that these strict requirements best align with their business objectives — like supporting growth while reducing risk. Evident’s average customer, for example, has 23 insurance compliance criteria, but some customers have more than 50. How many compliance criteria your business has will depend entirely on the industry-related risks your company faces.
If a company is experiencing lower-than-average compliance rates and is losing desirable third-party partners, it will need to take a long, hard look at its requirements and weigh the pros and cons of having too-rigid third-party insurance standards. There should ideally be a trade-off between compliance and coverage, but instead, most companies' insurance requirements are overly focused on reducing every single risk without considering how such an extensive list will affect third parties' ability to comply.
When crafting third-party insurance requirements, companies need to strike the right balance between adequate coverage and the ability to demonstrate compliance, developing criteria that incorporate not only legal and insurance needs but also business operations. The goal for most risk managers or GRC program operators is to achieve 100% compliance with third-party insurance requirements, but if operational results are closer to 25% (which is what our data suggests), then the requirements need to be right-sized accordingly.
Companies should start by assessing their portfolio of partners and coverages to identify the highest risks, and then review any rules or coverage amounts that usually result in an exception request, as these are good indicators of areas where third-party partners get "stuck" in the verification process.
Automating the verification process makes it easier for businesses to convert new and existing vendors into compliant partners, which not only reduces overall third-party risk but also helps companies diversify and onboard new vendors more safely and quickly than ever before.